
CISA issues alert on clickjacking vulnerabilities in password manager browser extensions

Browser-extension password managers that autofill credentials on websites face vulnerabilities linked to clickjacking attacks, which can permit unauthorized credential exposure.

This advisory covers security issues identified through recent research into Document Object Model (DOM)-based manipulation, which showed that several password managers remain exposed when users visit malicious or compromised sites. The vulnerabilities affect multiple password-manager and browser combinations but are not tied to specific Common Vulnerabilities and Exposures (CVE) identifiers. DOM-based clickjacking differs from traditional iframe-based clickjacking: instead of framing a target page, it abuses the interactive UI elements that browser extensions inject directly into the web page's DOM. Attackers can use JavaScript to render these injected elements invisible while they remain clickable, positioning them over familiar page components such as cookie banners or CAPTCHAs. The attack therefore depends on the user interacting with crafted page elements that, unknown to the user, trigger the password manager's DOM-injected autofill controls.

Compromise through such techniques allows attackers to trick users into unintentionally revealing or autofilling stored credentials, potentially resulting in unauthorized access to sensitive accounts and stored password data. Because DOM-based mechanisms can circumvent established clickjacking defenses such as frame-busting and frame-blocking headers, browsers and password-manager vendors show varying degrees of exposure while mitigation efforts are still in progress.

Users are advised to consult vendor information for updates to their browsers and password managers and to apply all relevant patches promptly. Adjusting or disabling autofill features is one way to reduce the risk from clickjacking, although the available controls vary by product. Users should also be aware that these attacks can occur on trusted websites that have been compromised, not only on overtly malicious ones.

Mitigating these clickjacking vulnerabilities requires coordinated action: website developers must deploy clickjacking protections, password-manager vendors need to harden the UI their extensions inject into pages, and users should recognize that some risk remains. Collaboration among all parties is necessary, since no single party can fully resolve the exposure on its own.
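The advisory describes the attack as an extension-injected element made invisible while it stays clickable, and asks vendors to harden the UI their extensions inject. One defensive control that follows directly from that description is a visibility check the extension performs before honouring a click on its own autofill element. The code below is an added illustration of such a check, not code from the CISA advisory, from the cited research, or from any password-manager vendor. It models the element's computed-style chain and the hit-test result as plain objects (constructed sample data) so that the logic runs outside a browser; in a real extension those values would come from getComputedStyle() on the element and its ancestors and from document.elementFromPoint() at the click coordinates. The thresholds and field names are assumptions chosen for the example.

```javascript
// Added example: a pre-autofill visibility check an extension could run on its
// own injected UI. Not the advisory's or any vendor's code. Style chains and
// hit-test results are constructed sample data, not captured from a real page.

const OPACITY_FLOOR = 0.1;   // assumption: below this the user cannot see the element
const OFFSCREEN_PX = 4000;   // assumption: offsets beyond this are treated as off-screen

// Returns the first reason the element or one of its ancestors would be invisible
// to the user, or null if nothing in the chain hides it. chain[0] is the element
// itself, followed by its ancestors up to the document root. Opacity, display and
// visibility on an ancestor hide the descendant too, so every entry is checked.
function hiddenReason(chain) {
  for (const s of chain) {
    if (s.display === 'none') return 'display:none';
    if (s.visibility === 'hidden') return 'visibility:hidden';
    if (Number(s.opacity ?? 1) < OPACITY_FLOOR) return 'opacity';
    if ((s.width ?? 1) <= 0 || (s.height ?? 1) <= 0) return 'zero-size';
    const offset = Math.max(Math.abs(s.offsetX ?? 0), Math.abs(s.offsetY ?? 0));
    if (offset > OFFSCREEN_PX) return 'off-screen';
  }
  return null;
}

// Decide whether a click on the extension's autofill element should be honoured.
//   click.targetId  - id of the extension's own injected element
//   click.topmostId - id the hit test at the click coordinates returned
//   click.isTrusted - whether the event was generated by the user (Event.isTrusted)
//   click.chain     - style chain of the clicked element (see hiddenReason)
function decideAutofill(click) {
  const reason = hiddenReason(click.chain);
  if (reason) return { allow: false, reason: 'injected UI hidden (' + reason + ')' };
  if (click.topmostId !== click.targetId) {
    return { allow: false, reason: 'another element is on top: ' + click.topmostId };
  }
  if (!click.isTrusted) return { allow: false, reason: 'synthetic event' };
  return { allow: true, reason: 'visible and topmost' };
}

// Constructed sample clicks covering the normal case and three hiding techniques
// described in the advisory (transparent element, hidden ancestor, decoy on top).
const SAMPLE_CLICKS = {
  legit: {
    targetId: 'pm-fill', topmostId: 'pm-fill', isTrusted: true,
    chain: [{ opacity: 1, width: 200, height: 40 }, { opacity: 1 }],
  },
  transparentElement: {
    targetId: 'pm-fill', topmostId: 'pm-fill', isTrusted: true,
    chain: [{ opacity: 0, width: 200, height: 40 }, { opacity: 1 }],
  },
  hiddenAncestor: {
    targetId: 'pm-fill', topmostId: 'pm-fill', isTrusted: true,
    chain: [{ opacity: 1, width: 200, height: 40 }, { opacity: 0.02 }],
  },
  coveredByBanner: {
    targetId: 'pm-fill', topmostId: 'cookie-banner', isTrusted: true,
    chain: [{ opacity: 1, width: 200, height: 40 }, { opacity: 1 }],
  },
  scriptedClick: {
    targetId: 'pm-fill', topmostId: 'pm-fill', isTrusted: false,
    chain: [{ opacity: 1, width: 200, height: 40 }, { opacity: 1 }],
  },
};

// Run every sample through the decision function and return the verdicts.
function runSamples() {
  const verdicts = {};
  for (const [name, click] of Object.entries(SAMPLE_CLICKS)) {
    verdicts[name] = decideAutofill(click);
  }
  return verdicts;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runSamples());
}
```

The check refuses to fill whenever its own element is not genuinely visible and on top, which is exactly the condition the attack relies on. It is a heuristic, not a complete defense: it does not detect a fully visible decoy rendered underneath a semi-opaque extension element above the floor, which is why the advisory also asks site operators and users to act.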

Credit is extended to Marek Tóth for presenting the research and Jonathan Leitschuh for reporting it. This advisory was authored by Ben Koo.